Merge with version 7

cicnavi · cicnavi · commit 092bf542561d · 2025-10-10T14:31:25.000+02:00
diff --git a/docs/2-oidc-installation.md b/docs/2-oidc-installation.md
@@ -34,12 +34,14 @@ and ensure at least the following parameters are set:
 
 Note: SQLite, PostgreSQL, and MySQL are supported.
 
-## 4. Create RSA key pairs
+## 4. Create key pairs
 
 ID and Access tokens are signed JWTs. Create a public/private RSA key
 pair for OIDC protocol operations. If you plan to use OpenID Federation,
 create a separate key pair for federation operations.
 
+### RSA key pair generation
+
 Generate private keys without a passphrase:
 
 ```bash
@@ -73,6 +75,43 @@ openssl rsa -in cert/oidc_module_federation.key -passin pass:myPassPhrase -pubou
 If you use different file names or a passphrase, update
 `config/module_oidc.php` accordingly.
 
+### EC key pair generation
+
+If you prefer to use Elliptic Curve Cryptography (ECC) instead of RSA.
+
+Generate private keys without a passphrase:
+
+```bash
+openssl ecparam -name prime256v1 -genkey -noout -out cert/oidc_module.key
+openssl ecparam -name prime256v1 -genkey -noout -out cert/oidc_module_federation.key
+```
+
+Generate private keys with a passphrase:
+
+```bash
+openssl ecparam -genkey -name secp384r1 -noout -out cert/oidc_module.key -passout pass:myPassPhrase
+openssl ecparam -genkey -name secp384r1 -noout -out cert/oidc_module_federation.key -passout pass:myPassPhrase
+```
+
+Extract public keys:
+
+Without passphrase:
+
+```bash
+openssl ec -in cert/oidc_module.key -pubout -out cert/oidc_module.crt
+openssl ec -in cert/oidc_module_federation.key -pubout -out cert/oidc_module_federation.crt
+```
+
+With a passphrase:
+
+```bash
+openssl ec -in cert/oidc_module.key -passin pass:myPassPhrase -pubout -out cert/oidc_module.crt
+openssl ec -in cert/oidc_module.key -passin pass:myPassPhrase -pubout -out cert/oidc_module.crt
+```
+
+If you use different file names or a passphrase, update
+`config/module_oidc.php` accordingly.
+
 ## 5. Enable the module
 
 Edit `config/config.php` and enable `oidc`:
diff --git a/docs/3-oidc-configuration.md b/docs/3-oidc-configuration.md
@@ -54,6 +54,12 @@ There you can see discovery URLs. Typical discovery endpoints are:
 [https://yourserver/simplesaml/module.php/oidc/.well-known/openid-configuration](https://yourserver/simplesaml/module.php/oidc/.well-known/openid-configuration)
 - OpenID Federation configuration:
 [https://yourserver/simplesaml/module.php/oidc/.well-known/openid-federation](https://yourserver/simplesaml/module.php/oidc/.well-known/openid-federation)
+- OpenID for Verifiable Credential Issuance configuration:
+[https://yourserver/simplesaml/module.php/oidc/.well-known/openid-credential-issuer](https://yourserver/simplesaml/module.php/oidc/.well-known/openid-credential-issuer)
+- OAuth2 Authorization Server configuration:
+[https://yourserver/simplesaml/module.php/oidc/.well-known/oauth-authorization-server](https://yourserver/simplesaml/module.php/oidc/.well-known/oauth-authorization-server)
+- JWT VC Issuer configuration:
+[https://yourserver/simplesaml/module.php/oidc/.well-known/jwt-vc-issuer](https://yourserver/simplesaml/module.php/oidc/.well-known/jwt-vc-issuer)
 
 You may publish these as ".well-known" URLs at the web root using your
 web server. For example, for `openid-configuration`:
diff --git a/docs/6-oidc-upgrade.md b/docs/6-oidc-upgrade.md
@@ -3,6 +3,9 @@
 This is an upgrade guide from versions 1 → 7. Review the changes and
 apply those relevant to your deployment.
 
+## TODO mivanci
+* Move to specific simplesamlphp/openid release (composer.json).
+
 ## Version 6 to 7
 
 New features:
